In an anonymous-looking business park just outside Reading town centre in the UK is a room where row upon row of specially trained computer analysts sit staring at a bank of screens.
Several monitors display urgent-looking warnings. One shows a picture of a globe, spinning angrily. Another has close-ups of regions of the world highlighted as criminal "hotspots". These, my companions tell me, are areas vulnerable to attack from nefarious online activity.
As the names of companies coming under bombardment from web criminals scroll down a third screen nearby, the overall feeling is disconcerting – it seems that no one is safe from this shifting, faceless enemy.
You could be forgiven for thinking this is the set of a hacker film like Sneakers. In fact, it is the UK operation, or nerve centre, of Symantec – one of the world's largest anti-virus companies, the owner of the Norton AntiVirus program, and the turn-to defence for global super-corporations trying to nip computer threats in the bud.
At the moment, the likes of Symantec have their hands full. The online community has seen an explosion in activity over the past 12 months as the quantity of "malware" (essentially, software designed to damage people's computers) has multiplied by a factor of five.
The reason, Symantec says, is the proliferation of organisations creating such software. These criminal clans hire programmers to create lucrative mechanisms for stealing credit-card information, and even sponsor computer science students through college.
"A group of specialised [experts] can create a larger number of new threats than a single malicious code author can, bringing about economies of scale and therefore an increased return on investment," said a recent Symantec report.
Some modern malware can download updates that make it change form and become harder to fight. It can also exploit the likes of Twitter and Facebook to lure people into giving out their bank details.
Symantec's security chief, Jim Hart, gives me a tour of the HQ. It is his team's job to respond to threats that might be facing Symantec's corporate clients. When a threat is detected, this army of some 30 minions issues patches and then informs the clients' internal IT departments of any security breaches.
"We are looking at criminal activity 24/7," Hart says. "What we do is health control. If we see one of the networks we are monitoring hook up to an IP address, this means there is data being transferred. And if that IP address is on our blacklist, we know that there is some kind of bad activity going on. This could be the theft of information or bank details. Then, for us, it's like a game of whack-a-mole. We see the infected machines and then we clean them – we hit the infections over the head."
Later, in a separate room, I meet one of Symantec's senior computer scientists, Guy Bunker, who has the Matrix-like moniker of "chief architect". He says that, while Symantec may be able to tell which servers or IP addresses are collecting such information, the location of these computers may not help track down those who are ultimately responsible.
"One of the main problems in trying to chase those behind viruses is that it tends not to be the people in the country that is doing the attacking," Bunker explains. "The villains might be using Chinese servers, but it could be someone in America pulling the strings. It is like giving someone a remote control and access over your machine, which they can then use to do their evil bidding."
He says malware has evolved to become smarter. To begin with, criminals – anyone trying to create spam, say, or to "phish" (to obtain bank-account information) – could program a virus or malware from base code (the "building blocks" programmers use to create software).
Now, people can send out a million versions of a virus. Each of these is subtly different from the last. Like human antibodies, which our bodies use to attack biological pathogens, many examples of virus detection software rely on recognising certain lines of code. If this code is constantly morphing, it becomes difficult to detect.
Some viruses can even download updates. In the "old days" people just did it to cause trouble – now, they are trying to do it to get money.
"The problem about tracking down the people behind these things is that they move around so quickly. Many of the servers used have a lifespan of only 10 days," Bunker says.
"Some countries are better than others at shutting them down. The countries that host them tend to be the ones with looser internet security, or those that have just installed broadband and have not got fully operational security infrastructures up and running."
Peru has been fingered as a country at risk. One of the main reasons for this is that the country's broadband use has exploded over the past two years, and there is a lag between the installation of broadband and the use of online security programs. A similar issue was seen recently in Russia and China, which still have some of the highest incidences of online crime in the world.
Bunker explains how this "underground economy" of criminals has grown in size. "When I was on my first computer in the 1980s I spent hours typing in games from magazines," he says. "It's now the same with the growth of malware. Large teams of people are involved."
Someone who writes a successful piece of malware can earn as much as
Cybercops: Keeping ahead of online crims